
We are running RHN Satellite and RHEL 6.3 servers with a frozen RHEL 6.3 channel.

What are the best practices for keeping older RHEL 6.3 servers secure?

It is important that:

  • We do not get new features that can break applications
  • We do get the latest security updates

So...

  • Should we push all RHN errata from the official Red Hat channel to our cloned frozen 6.3 channel?
  • Does this not update the software to the latest version? Because we do not want software updates that can possibly break applications, just the major security updates.
ujjain
  • A lot of the time, in open source software, the distinction between a security update and a feature update isn't clear. In many cases it isn't even possible to separate these updates, because they are released together, and security updates are often released after feature releases and not backported. – Falcon Momot Jul 23 '13 at 07:25
  • So Red Hat does not release errata for RHEL 6.2 and any RHEL 6.3-server is by default insecure after a year, no matter what we do? – ujjain Jul 23 '13 at 07:26
  • It's all relative; there's lots of undisclosed 0day out there and nearly everything can be broken into with enough effort and resources. Running old software is to be avoided in general from a security standpoint; updating is generally better than not, but doesn't make things totally secure. My point, however, was merely that security updates and feature updates aren't always differentiable, and if you are worried about breakage you should test first like dmourati says, and update everything you can. – Falcon Momot Jul 23 '13 at 07:31
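To make the question's distinction concrete, here is an added example (not from the original post and not Satellite's own tooling) that selects errata for a frozen channel by Red Hat's advisory prefix (RHSA = security, RHBA = bug fix, RHEA = enhancement), issue date and severity. The advisory ids, dates and package versions are constructed sample data; the freeze date is an assumed value.

```python
from dataclasses import dataclass
from datetime import date

# Advisory id prefixes used by Red Hat errata.
ADVISORY_TYPES = {"RHSA": "security", "RHBA": "bugfix", "RHEA": "enhancement"}
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}
FREEZE_DATE = date(2012, 12, 31)  # assumed date the cloned 6.3 channel was frozen


@dataclass(frozen=True)
class Erratum:
    advisory: str    # constructed ids below, not real advisories
    issued: date
    severity: str    # security errata carry a severity, others use ""
    packages: tuple  # (name, version-release) pairs shipped by the erratum


# Constructed sample feed standing in for a RHEL 6 base channel's errata.
SAMPLE_ERRATA = (
    Erratum("RHBA-2013:0001", date(2013, 1, 10), "", (("bash", "4.1.2-10.el6"),)),
    Erratum("RHSA-2013:0002", date(2013, 3, 5), "Moderate", (("openssl", "1.0.0-20.el6"),)),
    Erratum("RHEA-2013:0003", date(2013, 4, 1), "", (("subscription-manager", "1.8.0-1.el6"),)),
    Erratum("RHSA-2013:0004", date(2013, 6, 20), "Important", (("kernel", "2.6.32-300.el6"),)),
    Erratum("RHSA-2013:0005", date(2013, 7, 15), "Low", (("bash", "4.1.2-11.el6"),)),
)


def advisory_type(advisory):
    """Classify an erratum by its prefix; unknown prefixes are never treated as security."""
    return ADVISORY_TYPES.get(advisory.split("-", 1)[0], "unknown")


def select_for_frozen_channel(errata, frozen_on, min_severity="Low"):
    """Security errata issued after the freeze, at or above min_severity, oldest first."""
    floor = SEVERITY_RANK[min_severity]
    picked = [e for e in errata
              if advisory_type(e.advisory) == "security"
              and e.issued > frozen_on
              and SEVERITY_RANK.get(e.severity, -1) >= floor]
    return sorted(picked, key=lambda e: e.issued)


def resulting_versions(selected):
    """Newest version-release per package after the selected errata are pushed.
    Pushing only security errata still moves those packages to a newer build."""
    versions = {}
    for e in selected:
        for name, version_release in e.packages:
            versions[name] = version_release
    return versions
```

Packages touched only by RHBA/RHEA errata stay at their frozen version, while packages named in an RHSA are moved to the build that erratum ships.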

2 Answers

You pay Red Hat for Extended Update Support. This is the only supported way to avoid updating to the latest service pack, and is subject to availability. It's not offered for all point releases.

Michael Hampton
  • This is the correct answer. It appears all 6.x updates during Production 1 phase are going to be EUS releases. Note that EUS support for a given minor release does stop eventually, it doesn't let you stay on a particular version forever, just lets you have a longer lifecycle between minor releases. https://access.redhat.com/support/policy/updates/errata/ – suprjami Jul 25 '13 at 11:36

We do not get new features that can break applications

I think this is a canard. Update all in a staging environment and run regression. I'd be very surprised if you uncovered an update in the RHEL releases that broke your application.

dmourati
  • You should try RHEL 6.6. It broke a lot of legacy stuff, especially poorly written "enterprise" scripts for poorly written "enterprise" software. And then there was the unexpected openssl upgrade in 6.5 which broke lots of third-party apps... – Michael Hampton Dec 29 '14 at 08:11
  • Ouch, okay. My answer was a little flip. – dmourati Dec 29 '14 at 18:07